Memory card and data distribution system using it

ABSTRACT

A memory card (110) conducts an authentication process with a server based on data stored in an authentication data hold unit (1400). The memory card (110) extracts a first session key (Ks1) from a server by a decryption process and a transaction ID from the data applied on a data bus (BS3). The memory card (110) generates a second session key (Ks2) through a session key generation unit (1418), and transmits to the server, as the keys to encrypt content data in receiving decryption of content data, the second session key (Ks2) and a key (KPm(1)) unique to the memory card (110) in an encrypted state with the first session key (Ks1). The transaction ID and the second session key (Ks2) stored in the log memory (1460) are used in the redistribution process.

TECHNICAL FIELD

[0001] The present invention relates to a memory card that allows protection of copyrights with respect to copied information in an information distribution system to distribute information to terminals such as cellular phones, and a distribution system using such a memory card.

BACKGROUND ART

[0002] By virtue of the progress in information communication networks and the like such as the Internet in these few years, each user can now easily access network information through individual-oriented terminals employing a cellular phone or the like.

[0003] In such information communication, information is transmitted through digital signals. It is now possible to obtain copied music and video information transmitted via the aforementioned information communication network without degradation in the audio quality and picture quality of the copy data, even in the case where the copy operation is performed by an individual user.

[0004] Thus, there is a possibility of the copyright of the copyright owner being significantly infringed unless some appropriate measures to protect copyrights are taken when any content data subject to copyright protection such as music and image information is to be transmitted on the information communication network.

[0005] However, if copyright protection is given top priority so that distribution of content data through the disseminating digital information communication network is suppressed, the copyright owner who can essentially collect a predetermined copyright royalty for copies of a copyrighted work will also incur some disbenefit.

[0006] In the case where content data such as music data is distributed through a digital information communication network as described above, each user will record the distributed data onto some recording apparatus, and then reproduce the data using a reproduction apparatus.

[0007] Such recording apparatuses include, for example, a medium that can have data written and erased electrically, such as a memory card.

[0008] As the apparatus to reproduce distributed music data, the cellular phone per se used to receive such data distribution can be employed, or, when the recording apparatus such as a memory card is detachable from the apparatus that receives distribution, a dedicated reproduction apparatus can be used.

[0009] In the case where distribution of content data such as music data is to be received through a digital information communication network, particularly through a radio communication network, the communication may be cut off before the music data is completely distributed, depending upon the state of the communication line. In the case where encrypted content data, which is an encrypted version of content data, is distributed separately from the reproduction information required to decrypt and reproduce it, any disruption in communication during distribution of the encrypted content data can be mended by establishing connection again and continuing data reception. Since the accounting process towards the user is carried out simultaneously with distributing reproduction information, the user will request retransmission of the reproduction information after connection is established again following such disrupted communication. However, reproduction information should not be retransmitted incautiously in response to a request, from the standpoint of protecting the rights of copyright owners. On the other hand, if retransmission is not conducted, the user will not be able to obtain the reproduction information even though the accounting process has been effected.

DISCLOSURE OF THE INVENTION

[0010] An object of the present invention is to provide a data distribution system that can complete distribution of reproduction information, even in the case where communication is disrupted before complete distribution of reproduction information, by resuming communication while protecting the rights of copyright owners, and a data recording device such as a memory card used in such a data distribution system.

[0011] A data recording device of the present invention to achieve the above object receives and records, through a communication path, reproduction information associated with reproduction of encrypted content data, including a content key to decrypt the encrypted content data into plaintext. The data recording device includes a data communication unit, a first storage unit, an information extraction unit, a second storage unit and a control unit.

[0012] The data communication unit establishes an encryption communication path that can transmit encrypted information with the transmission source of the reproduction information, to receive the reproduction information supplied to a data recording apparatus individually apart from encrypted content data and transmitted in an encrypted state. The first storage unit stores data associated with the reproduction information applied from the data communication unit. The information extraction unit carries out the process of storing the data associated with the reproduction information from the data communication unit into the first storage unit, and extracting reproduction information based on data stored in the first storage unit. The second storage unit records a reception log indicating the processing status of a reception process to receive and record reproduction information into the first storage unit. The reception log information is generated at the transmission source of the reproduction information every time a reproduction information distribution process is conducted and transmitted to the data recording apparatus, and includes communication identification information to identify a reproduction information distribution process. The control unit controls the operation of the data recording apparatus. The control unit transmits the reception log information recorded in the second storage unit to the data communication unit in response to a request.

[0013] Preferably, the data communication unit includes a first key hold unit, a first decryption processing unit, a second key hold unit, a key generation unit, a first encryption processing unit, and a second decryption processing unit. The first key hold unit stores a first private decryption key to decrypt data that is encrypted using a predetermined first public encryption key corresponding to a data recording apparatus. The first decryption processing unit receives and decrypts a first symmetric key that is updated and transmitted from the transmission source of the reproduction information for each communication of the reproduction information, and encrypted using the first public encryption key. The second key hold unit stores a second public encryption key unique to each data recording apparatus. The key generation unit generates a second symmetric key updated for each communication of the reproduction information. The first encryption processing unit encrypts the second public encryption key and second symmetric key based on the first symmetric key for output. The second decryption processing unit receives reproduction information encrypted with the second public encryption key and further encrypted with the second symmetric key, and decrypts it based on the second symmetric key. The information extraction unit includes a third key hold unit and a third decryption processing unit. The third key hold unit stores a second private decryption key to decrypt data encrypted by the second public encryption key. The third decryption processing unit carries out a decryption process with the second private decryption key in the procedure from the process of storing data associated with reproduction information into the first storage unit to the process of extracting reproduction information. The first storage unit stores the output of the second decryption processing unit or reproduction information based on the output of the second decryption processing unit.

[0014] According to another aspect of the present invention, a data distribution system includes a data supply apparatus and a plurality of terminals.

[0015] The data supply apparatus supplies individually respective encrypted content data, and reproduction information including a content key which is a decryption key associated with reproduction of encrypted content data and used to decrypt the encrypted content data into plaintext. The data supply apparatus includes a distribution control unit, a distribution information hold unit, a first interface unit, a first session key generation unit, a session key encryption unit, a session key decryption unit, a first license data encryption processing unit, a second license data encryption processing unit, and a distribution log information hold unit. The distribution control unit provides control of the data supply apparatus. The distribution information hold unit stores encrypted content data and reproduction information. The first interface unit transmits/receives data to/from an external source. The first session key generation unit generates a first symmetric key updated for each distribution of reproduction information to a terminal. The session key encryption unit encrypts the first symmetric key using a first public encryption key predefined corresponding to a user's terminal, and provides it to the first interface unit. The session key decryption unit decrypts the second public encryption key and second symmetric key transmitted in an encrypted state by the first symmetric key. The first license data encryption processing unit encrypts reproduction information to reproduce encrypted content data using the second public encryption key decrypted by the session key decryption unit. The second license data encryption processing unit encrypts the output of the first license data encryption processing unit using the second symmetric key, and applies the encrypted output to the first interface unit for distribution. The distribution log information hold unit records a distribution log indicating the processing status of the current distribution process. The distribution log information is generated at the data supply apparatus every time a reproduction information distribution process is conducted, and includes communication identification information to identify a reproduction information distribution process. The plurality of terminals receive distribution through a communication path from the content data supply apparatus, and correspond to a plurality of users, respectively. Each terminal includes a second interface unit, a reception control unit, and a data storage unit. The second interface unit transmits/receives data to/from an external source. The reception control unit controls the data transfer with an external source. The data storage unit receives and stores encrypted content data and reproduction information. The data storage unit includes a first key hold unit, a first decryption processing unit, a second key hold unit, a key generation unit, a first encryption processing unit, a second decryption processing unit, a first storage unit, a third key hold unit, a third decryption processing unit, and a second storage unit. The first key hold unit stores a first private decryption key to decrypt data that is encrypted with a predetermined first public encryption key corresponding to the data storage unit. The first decryption processing unit receives a first symmetric key that is updated and distributed for each communication of the reproduction information, and encrypted using the first public encryption key, and applies a decryption process. The second key hold unit stores a second public encryption key differing for each data storage unit. The key generation unit generates a second symmetric key updated for each communication of the reproduction information. The first encryption processing unit encrypts and outputs the second public encryption key and second symmetric key based on the first symmetric key. The second decryption processing unit receives reproduction information encrypted with the second public encryption key and further encrypted with the second symmetric key, and decrypts the reproduction information based on the second symmetric key. The first storage unit stores reproduction information based on the output of the second decryption processing unit. The third key hold unit stores a second private decryption key to decrypt data encrypted with the second public encryption key. The third decryption processing unit applies a decryption process with the second private decryption key in the procedure from the process of storing data associated with reproduction information in the first storage unit to the process of extracting reproduction information. The second storage unit records a reception log indicating the processing status in the distribution process of reproduction information, and including communication identification information. The reception control unit controls the redistribution process based on the reception log when the communication path is cut off during a distribution process. The first storage unit stores an output of the second decryption processing unit or reproduction information based on an output of the second decryption processing unit. The reception control unit transmits the reception log information to the data supply apparatus when the communication path is cut off during a distribution process, and the distribution control unit controls a redistribution process based on the reception log information and the distribution log information when the communication path is cut off during a distribution process.

[0016] According to another aspect of the present invention, a data supply apparatus is provided to supply reproduction information to a plurality of terminals corresponding to a plurality of users, respectively, each including a data storage unit to record reproduction information associated with reproduction of encrypted content data, including a content key which is a decryption key to decrypt encrypted content data into plaintext, supplied individually apart from encrypted content data, and reception log information indicating a processing status in the distribution process of receiving and recording reproduction information, and including communication identification information. The data supply apparatus includes a distribution information hold unit, a first interface unit, a first session key generation unit, a session key encryption unit, a session key decryption unit, a first license data encryption processing unit, a second license data encryption processing unit, a distribution log information hold unit, and a distribution control unit.

[0017] The distribution information hold unit stores content data and reproduction information. The first interface unit transfers data with an external source. The first session key generation unit generates a first symmetric key that is updated for each distribution of reproduction information to a terminal. The session key encryption unit encrypts the first symmetric key using a first public encryption key predefined corresponding to a user's terminal, and provides the encrypted key to the first interface unit. The session key decryption unit decrypts the second public encryption key and second symmetric key transmitted in an encrypted state by the first symmetric key.

[0018] The first license data encryption processing unit encrypts reproduction information to reproduce encrypted content data using the second public encryption key decrypted by the session key decryption unit. The second license data encryption processing unit encrypts the output of the first license data encryption processing unit using the second symmetric key, and applies the encrypted output to the first interface unit for distribution. The distribution log information hold unit records distribution log information indicating a processing status during a distribution process, and including communication identification information. The distribution control unit controls the operation of the data supply apparatus to generate and transmit to the terminal communication identification information to identify a reproduction information distribution process every time a reproduction information distribution process is conducted. When the communication path is cut off during a distribution process, the distribution control unit controls the redistribution process, in response to confirmation of a redistribution request from the terminal that was communicating prior to the cut-off, based on the reception log information recorded in the data storage unit and transmitted from the terminal and on the distribution log information.

[0019] Both the server and the memory card store the distribution history and distribution status in a distribution system using the data reproduction apparatus and a memory card employed in the distribution system of the present invention. Therefore, information can be retransmitted by resuming communication even in the case where communication is disrupted during distribution. The reliability of the distribution process can be improved.

BRIEF DESCRIPTION OF THE DRAWINGS

[0020] FIG. 1 is a diagram to schematically describe an entire structure of a data distribution system of the present invention.

[0021] FIG. 2 is a diagram to describe the characteristics of data and information used in communication in the data distribution system of FIG. 1.

[0022] FIG. 3 is a schematic block diagram showing a structure of a license server 10.

[0023] FIG. 4 is a schematic block diagram showing a structure of a cellular phone 100.

[0024] FIG. 5 is a schematic block diagram showing a structure of a memory card 110.

[0025] FIG. 6 is a first flow chart to describe a distribution operation in the data distribution system of a first embodiment.

[0026] FIG. 7 is a second flow chart to describe a distribution operation in the data distribution system of the first embodiment.

[0027] FIG. 8 is a third flow chart to describe a distribution operation in the data distribution system of the first embodiment.

[0028] FIG. 9 is a flow chart to describe a reconnection process.

[0029] FIG. 10 is a first flow chart to describe a second reconnection operation of the data distribution system according to the first embodiment.

[0030] FIG. 11 is a second flow chart to describe a second reconnection operation of the data distribution system according to the first embodiment.

[0031] FIG. 12 is a third flow chart to describe a second reconnection operation of the data distribution system according to the first embodiment.

[0032] FIG. 13 is a flow chart to describe a third reconnection operation of the data distribution system according to the first embodiment.

[0033] FIG. 14 is a flow chart to describe a reconnection process.

[0034] FIG. 15 is a first flow chart to describe a distribution operation in the event of purchasing content in the data distribution system according to a second embodiment.

[0035] FIG. 16 is a second flow chart to describe a distribution operation in the event of purchasing content in the data distribution system according to the second embodiment.

[0036] FIG. 17 is a third flow chart to describe a distribution operation in the event of purchasing content in the data distribution system according to the second embodiment.

[0037] FIG. 18 is a first flow chart to describe a second reconnection operation of the data distribution system of the second embodiment.

[0038] FIG. 19 is a second flow chart to describe a second reconnection operation of the data distribution system of the second embodiment.

[0039] FIG. 20 is a third flow chart to describe a second reconnection operation of the data distribution system of the second embodiment.

[0040] FIG. 21 is a first flow chart to describe a second reconnection operation of the data distribution system according to a third embodiment of the present invention.

[0041] FIG. 22 is a second flow chart to describe a second reconnection operation of the data distribution system according to the third embodiment of the present invention.

[0042] FIG. 23 is a third flow chart to describe a second reconnection operation of the data distribution system according to the third embodiment of the present invention.

[0043] FIG. 24 is a fourth flow chart to describe a second reconnection operation of the data distribution system according to the third embodiment of the present invention.

BEST MODES FOR CARRYING OUT THE INVENTION

[0044] Embodiments of the present invention will be described hereinafter with reference to the drawings.

First Embodiment

[0045] FIG. 1 is a diagram to describe schematically an entire structure of the data distribution system of the present invention.

[0046] In the following, a data distribution system distributing music data to each user via a cellular phone network will be described as an example. However, as will become apparent from the following description, the present invention is not limited to such a case. The present invention is applicable to distribute content data corresponding to other copyrighted works such as book telling data, image data, video data, educational data, and the like, and further applicable to the case of distributing through other digital information communication networks.

[0047] Referring to FIG. 1, a license server 10 administrating copyrighted music data encrypts music data (also called “content data” hereinafter) according to a predetermined encryption scheme, and provides such encrypted content data to a cellular phone company which is a distribution carrier 20 to distribute information. An authentication server 12 challenges the authenticity of the user's apparatus establishing access for distribution of content data.

[0048] Cellular phone company 20 relays a distribution request from each user to license server 10 through its own cellular phone network. In response to a distribution request, license server 10 verifies the authenticity of the user's apparatus through authentication server 12, and distributes content data to the respective user's cellular phone via the cellular phone network of cellular phone company 20 after the requested music data has been further encrypted.

[0049] FIG. 1 corresponds to a structure in which a detachable memory card 110 is loaded in a cellular phone 100 of a user 1. Memory card 110 receives the encrypted content data through cellular phone 100 and applies decryption on the above encryption, and then provides the decrypted data to the music reproduction unit (not shown) in cellular phone 100.

[0050] User 1, for example, can “reproduce” the music data to listen to the music via a headphone 130 or the like connected to cellular phone 100.

[0051] License server 10, authentication server 12, and distribution carrier (cellular phone company) 20 will generically be referred to as a distribution server 30 hereinafter.

[0052] The process of transmitting content data to each cellular phone or the like from distribution server 30 is called “distribution”.

[0053] By such a structure, any user that has not purchased a memory card 110 cannot receive and reproduce distribution data from distribution server 30.

[0054] By taking count of the number of times content data of, for example, one song is distributed in distribution carrier 20, the copyright royalty fee incurred every time a user receives (downloads) content data can be collected by distribution carrier 20 in the form of telephone bills of respective cellular phones. Thus, the royalty fee of the copyright owner can be ensured.

[0055] Furthermore, since such content data distribution is conducted through a cellular phone network, which is a closed system, there is the advantage that measures to protect copyrights can be taken more easily than in an open system such as the Internet.

[0056] Here, a user 2 possessing a memory card 112, for example, can directly receive distribution of content data from distribution server 30 through his/her own cellular phone 102. However, direct reception of content data or the like from music server 30 is relatively time consuming for user 2 since the content data includes a large amount of information. In such a case, it will be convenient for the user if content data can be copied from user 1 who has already received distribution of that content data.

[0057] However, from the standpoint of protecting the rights of copyright owners, unscrupulous copying of content data is not allowed by the system configuration.

[0058] As shown in FIG. 1, the act of letting a user 2 copy the content data received by user 1, and transferring together the reproduction information to render the relevant content data reproducible to user 2, is called “transfer” of music data. In this case, the encrypted content and the reproduction information required for reproduction are transferred between memory cards 110 and 112 through cellular phones 100 and 102. As will be described afterwards, “reproduction information” includes a license key that allows decryption of content data encrypted according to a predetermined encryption scheme, and license information such as information on restriction as to access and reproduction and a license ID corresponding to information related to copyright protection.

[0059] In contrast, the act of copying only content data without transferring reproduction information is called “replicate”. Since reproduction information is not transferred in replication, the user receiving this replication can render the data reproducible by requesting distribution of only the reproduction information. Accordingly, distribution of a significant amount of data can be eliminated in the distribution of content data.

[0060] By such a structure, the content data distributed by the distribution server can be used flexibly at the reception side.

[0061] In the case where cellular phones 100 and 102 are PHSs (Personal Handy Phones), information can be transferred between user 1 and user 2 taking advantage of conversation in the so-called available transceiver mode.

[0062] In the structure shown in FIG. 1, the system to render the content data distributed in an encrypted manner reproducible at the user side requires: 1) the scheme to distribute an encryption key in communication, 2) the scheme per se to encrypt distribution data, and 3) a configuration realizing data protection to prevent unauthorized copying of the distributed data.

[0063] In the embodiment of the present invention, a distribution system that records and stores the status and history of distribution at both the information transmission side and reception side, and that allows retransmission of information by resuming communication even when communication is disrupted during distribution, to improve reliability of the distribution process, will be described.

System Key and Data Configuration

[0064] FIG. 2 is a diagram to describe the characteristics of the keys associated with encryption used in communication and data to be distributed in the data distribution system of FIG. 1.

[0065] The data “Data” distributed by distribution server 30 is content data such as music data. The content data is distributed to a user from distribution server 30 in the form of encrypted content data {Data}Kc subject to encryption that can be decrypted using at least a license key Kc.

[0066] In the following, the expression {Y}X denotes information having data Y converted into encryption that can be decrypted using a key X.

[0067] From the distribution server are distributed additional information Data-inf in plaintext such as the information related to content data or related to server access and the like, together with the content data. Specifically, additional information Data-inf includes information to identify the content data such as the song title or the name of the artist and to identify distribution server 30.

[0068] Keys related to the encryption, decryption and reproduction process of content data as well as to authentication of a cellular phone which is the content reproduction circuit and a memory card which is a recording apparatus are set forth below.

[0069] As mentioned before, there are provided a license key Kc used to decrypt encrypted content data, a public encryption key KPp(n) unique to the content reproduction circuit (cellular phone 100), and a public encryption key KPmc(m) unique to a memory card.

[0070] Data encrypted using public encryption keys KPp(n) and KPmc(m) can be decrypted respectively using a private decryption key Kp(n) unique to the content reproduction circuit (cellular phone 100) and a private decryption key Kmc(m) unique to the memory card. These unique private decryption keys have different contents for each type of cellular phone and each type of memory card. Here the type of cellular phone and memory card is defined based on the manufacturer thereof, the fabrication time (fabrication lot) and the like. The unit assigned to the public encryption key and private decryption key is referred to as “class.” Natural numbers m, n represent the numbers to discriminate the class of each memory card and content reproduction circuit (cellular phone).

[0071] Keys operated common to the entire distribution system include a secret common key Kcom used in obtaining license key Kc and restriction information for the reproduction circuit that will be described afterwards, and an authentication key KPma. Secret common key Kcom is stored at both the distribution server and the cellular phone.

[0072] Public encryption keys KPmc(m) and KPp(n) specified for each memory card and content reproduction circuit can have their authenticity verified by decrypting with authentication key KPma. More specifically, they are recorded in respective memory cards and cellular phones at the time of shipment in the form of authentication data {KPmc(m)}KPma and {KPp(n)}KPma subject to the authentication process.

[0073] Secret common key Kcom is not restricted to be in the symmetric key cryptosystem. It can be replaced with the private decryption key Kcom or public encryption key KPcom in the public key cryptosystem. In this case, private key Kcom and public key KPcom are held in cellular phone 100 and distribution server 30, respectively, as the secret common key.

[0074] Information to control the operation of the apparatus constituting the system, i.e. cellular phone 100 which is a content reproduction circuit and memory card 110, includes: purchase condition information AC transmitted from cellular phone 100 to distribution server 30 when a user purchases a license key or the like, for the purpose of specifying the purchase condition; access restriction information AC1 distributed from distribution server 30 towards memory card 110 according to purchase condition information AC, indicating the number of times of accessing license key Kc for reproduction (reproduction permitted times), the number of replicates and transfers of license key Kc, and restriction as to copy and transfer; and reproduction circuit restriction information AC2 distributed from distribution server 30 to memory card 110, indicating restriction as to the reproduction condition of the content reproduction circuit loaded in cellular phone 100. The reproduction condition of the reproduction circuit implies the condition, for example, of allowing reproduction of only the beginning of each content data for a predetermined time, such as in the case where a sample is distributed at low price or freely to promote a new song, the reproduction period, and the like.

[0075] The keys to administer data processing in memory card 100 include a public encryption key KPm(i) (i: natural number) specified for each memory card, and a private decryption key Km(i) unique to each memory card that can decrypt data encrypted with public encryption key KPm(i). Here, natural number i represents a number to discriminate each memory card.

[0076] In the data distribution system of FIG. 1, keys used in data communication are set forth below.

[0077] The keys to ensure security during data transfer with an external source to the memory card or between memory cards include symmetric keys Ks1-Ks4 generated at server 30, cellular phone 100 or 102, and memory card 110 or 112 every time content data distribution, reproduction or transfer is carried out.

[0078] Here, symmetric keys Ks1-Ks4 are unique symmetric keys generated for each “session”, which is the access unit or communication unit among the server, content reproduction circuit or memory card. In the following, these symmetric keys Ks1-Ks4 are also called “session keys”.

[0079] These session keys Ks1-Ks4 have a unique value for each communication session, and are under the control of the distribution server, content reproduction circuit and memory card.

[0080] More specifically, a session key Ks1 is generated for each distribution session by distribution server 30. A session key Ks2 is generated for each distribution session and transfer (reception side) session of a memory card. Session key Ks3 is generated for each reproduction session and transfer (transmission side) session in a memory card. A session key Ks4 is generated for each reproduction session of the cellular phone. The level of security can be improved in each session by exchanging the session keys: each apparatus receives a session key generated by another apparatus, performs encryption using that session key, and transmits the license decryption key under that encryption.

[0081] Data transferred with a distribution server includes a content ID for the system to identify each content data, and a transaction ID which is a code generated for each distribution session to identify each distribution session. It is to be noted that the license ID and transaction ID can be shared.

[0082] The license ID, content ID and access restriction information AC1are generically referred to as license information. This licenseinformation, license key Kc and reproduction circuit restrictioninformation AC2 are generically referred to as reproduction information.

Configuration of License Server 10

[0083] FIG. 4 is a schematic block diagram showing a structure of license server 10 of FIG. 1.

[0084] License server 10 includes an information database 304 to store content data encrypted according to a predetermined scheme as well as distribution information such as a license ID, an account database 302 to store accounting data according to the start of access to content data for each user, a log administration database 306 to store log information of the license server, a data processing unit 310 receiving data through a data bus BS1 from information database 304, accounting database 302 and log administration database 306 to apply a predetermined process, and a communication device 350 to transfer data between distribution carrier 20 and data processing unit 310 via the communication network.

[0085] The “license distribution log”, indicating the distribution history of the license information stored in log administration database 306, includes the transaction ID, content ID, public encryption keys KPmc(n) and KPp(n), access restriction information AC1, reproduction circuit restriction information AC2, public encryption key KPm(i), session key Ks2, and an accounting status flag. The accounting status flag indicates whether the accounting process for the currently distributed content data has already ended or not.

[0086] Data processing unit 310 includes a distribution control unit 315 to control the operation of data processing unit 310 according to the data on data bus BS1, a session key generation unit 316 to generate a session key Ks1 in a distribution session under control of distribution control unit 315, a decryption processing unit 312 receiving through communication device 350 and data bus BS1 the authentication data {KPmc(n)}KPma and {KPp(n)}KPma sent from a memory card and a cellular phone, to apply a decryption process with authentication key KPma, an encryption processing unit 318 encrypting session key Ks1 generated by session key generation unit 316 using public encryption key KPmc(m) obtained by decryption processing unit 312, to provide the encrypted key onto data bus BS1, and a decryption processing unit 320 receiving through data bus BS1 the data encrypted with session key Ks1 and transmitted by each user.

[0087] Data processing unit 310 further includes a Kcom hold unit 322 storing secret common key Kcom, an encryption processing unit 324 encrypting license key Kc and reproduction circuit restriction information AC2 applied from distribution control unit 315 using secret common key Kcom, an encryption processing unit 326 to encrypt the data output from encryption processing unit 324 using the public encryption key KPm(i) unique to the memory card obtained from decryption processing unit 320, and an encryption processing unit 328 further encrypting the output of encryption processing unit 326 using the session key Ks2 applied from decryption processing unit 320, to provide the encrypted key onto data bus BS1.

[0088] In the case where secret common key Kcom is a key of an asymmetric public key cryptosystem, Kcom hold unit 322 stores public key KPcom, which is the encryption key in the public key cryptosystem, instead of secret common key Kcom of the symmetric key cryptosystem.

Configuration of Cellular Phone 100

[0089] FIG. 4 is a schematic block diagram to describe a structure of cellular phone 100 of FIG. 1.

[0090] In cellular phone 100, the natural number n representing the class is set to n=1.

[0091] Cellular phone 100 includes an antenna 1102 to receive a signal transmitted by radio over a cellular phone network, a transmitter/receiver unit 1104 converting the signal received from antenna 1102 into a base band signal, or modulating the data from the cellular phone and providing it to antenna 1102, a data bus BS2 to transfer data between the respective components of cellular phone 100, and a controller 1106 to control the operation of cellular phone 100 via data bus BS2.

[0092] Cellular phone 100 further includes a keyboard 1108 to apply designations to cellular phone 100 from an external source, a display 1110 to present the information output from controller 1106 or the like to the user as visual information, an audio reproduction unit 1112 reproducing audio based on reception data provided via data bus BS2 in a general conversation operation, a connector 1120 to transfer data with an external source, and an external interface unit 1122 converting the data from connector 1120 to provide it to data bus BS2, or converting the data from data bus BS2 into a signal that can be applied to connector 1120.

[0093] Cellular phone 100 further includes a detachable memory card 110 storing content data (music data) for a decryption process, a memory interface 1200 to control data transfer between memory card 110 and data bus BS2, and an authentication data hold unit 1500 storing a public encryption key KPp(1) set for each cellular phone class, in an encrypted state that can be authenticated by decryption using authentication key KPma.

[0094] Cellular phone 100 further includes a Kp hold unit 1502 storing private decryption key Kp(n) (n=1), which is a decryption key unique to the cellular phone (content reproduction circuit) class, a decryption processing unit 1504 decrypting the data received from data bus BS2 using private decryption key Kp(1) and obtaining session key Ks3 generated by the memory card, a session key generation unit 1508 generating, using a random number, a session key Ks4 used to encrypt data transferred on data bus BS2 with memory card 110 in a session of reproducing content data stored in memory card 110, an encryption processing unit 1506 encrypting the generated session key Ks4 using session key Ks3 obtained by decryption processing unit 1504, and a decryption processing unit 1510 decrypting the data on data bus BS2 using session key Ks4 to output data {Kc//AC2}Kcom.

[0095] Cellular phone 100 further includes a Kcom hold unit 1512 storing secret common key Kcom, a decryption processing unit 1514 decrypting data {Kc//AC2}Kcom output from decryption processing unit 1510 using secret common key Kcom, to output license key Kc and reproduction circuit restriction information AC2, a decryption processing unit 1516 receiving encrypted content data {Data}Kc from data bus BS2 and decrypting it using license key Kc obtained by decryption processing unit 1514, to output content data Data, a music reproduction unit 1518 receiving content data Data, which is the output of decryption processing unit 1516, to reproduce the content, a switch unit 1525 receiving the outputs of music reproduction unit 1518 and audio reproduction unit 1112 to selectively provide an output according to the operation mode, and a connection terminal 1530 receiving the output of switch unit 1525 for connection to headphone 130.

[0096] Here, reproduction circuit restriction information AC2 output from decryption processing unit 1514 is applied to controller 1106 via data bus BS2.

[0097] In FIG. 4, only the blocks associated with distribution and reproduction of music data among the blocks forming the cellular phone are illustrated for the sake of simplification. Blocks related to the general conversation function inherent to a cellular phone are left out.

Configuration of Memory Card 110

[0098] FIG. 5 is a schematic block diagram to describe a structure of memory card 110 of FIG. 1.

[0099] As described before, public encryption key KPm(i) and the corresponding private decryption key Km(i) take unique values for each memory card. In memory card 110, it is assumed that the natural number i is set to i=1. Also, KPmc(m) and Kmc(m) are set as the public encryption key and secret decryption key unique to the class of the memory card. In memory card 110, it is assumed that the natural number m is represented as m=1.

[0100] Memory card 110 includes an authentication data hold unit 1400 to store authentication data {KPmc(1)}KPma, a Kmc hold unit 1402 storing a unique decryption key Kmc(1) set for each memory card class, a KPm(1) hold unit 1416 to store a unique public encryption key KPm(1) set for each memory card, and a Km(1) hold unit 1421 storing an asymmetric private decryption key Km(1) that can decrypt data encrypted using public encryption key KPm(1). Authentication data hold unit 1400 encrypts and stores public encryption key KPmc(1), set for each memory card class, in a state whose authenticity can be verified by decryption using authentication key KPma.

[0101] Memory card 110 further includes a data bus BS3 to transfer a signal with memory interface 1200 via a terminal 1202, a decryption processing unit 1404 receiving the data applied from memory interface 1200 onto data bus BS3 together with the private decryption key Kmc(1), unique to each memory card class, from Kmc(1) hold unit 1402, and providing session key Ks1 generated by the distribution server in a distribution session to contact Pa, a decryption processing unit 1408 receiving authentication key KPma from KPma hold unit 1443 to execute a decryption process using authentication key KPma on the data applied on data bus BS3, providing the decrypted result to encryption processing unit 1410, and an encryption processing unit 1406 encrypting data selectively applied from switch 1444 using a key selectively applied by switch 1442, and providing the encrypted data onto data bus BS3.

[0102] Memory card 110 further includes a session key generation unit 1418 generating a session key at each distribution, reproduction and transfer session, an encryption processing unit 1410 encrypting the session key output from session key generation unit 1418 using public encryption key KPp(n) obtained by decryption processing unit 1408, to output the encrypted key onto data bus BS3, and a decryption processing unit 1412 receiving encrypted data on data bus BS3 to apply a decryption process using session key Ks2 obtained from session key generation unit 1418, providing the decrypted result to data bus BS4.

[0103] Memory card 110 further includes an encryption processing unit 1424 encrypting the data on data bus BS4 using a public encryption key KPm(i) (i is 1, or the number j of another memory card) unique to a memory card, a decryption processing unit 1422 to decrypt the data on data bus BS4 using the private decryption key Km(1) unique to memory card 110 that is the companion to public encryption key KPm(1), and a memory 1415 receiving and storing from data bus BS4 the portion of the reproduction information encrypted with public encryption key KPm(1) (content decryption key Kc, content ID, license ID, access control information AC1, reproduction circuit control information AC2), as well as receiving and storing encrypted content data {Data}Kc.

[0104] Memory card 110 further includes a license information hold unit 1440 storing the license information obtained by decryption processing unit 1422 (transaction ID, content ID and access restriction information AC1), a log memory 1460 to store the log of the transmission/reception of the reproduction information in the memory card, and a controller 1420 transferring data with an external source via data bus BS3 and receiving reproduction information and the like via data bus BS4, to control the operation of memory card 110.

[0105] The “reception log”, indicating the reception status of the reproduction information stored in log memory 1460, includes the transaction ID, session key Ks2, and the like. In the first embodiment, the reception log information corresponds to data generated in the event of license reception, and is erased when reception and storage of the reproduction information to memory card 110 are completed.

[0106] It is assumed that the region TRM enclosed by the solid line in FIG. 5 is incorporated in a module TRM that disables readout of data and the like in the circuit located in that region by a third party, by erasing the internal data or destroying the internal circuitry when an improper opening process is conducted from an external source. Such a module is generally called a tamper resistant module.

[0107] A structure may be implemented in which memory 1415 is also incorporated in module TRM. However, since the data stored in memory 1415 is completely encrypted according to the structure shown in FIG. 6, a third party will not be able to reproduce the music with just the data in memory 1415. Furthermore, it is not necessary to provide memory 1415 in the expensive tamper resistant module. Thus, there is the advantage that the fabrication cost is reduced.

Distribution Operation

[0108] The operation in each session of the data distribution system according to an embodiment of the present invention will be described in detail hereinafter with reference to the flow charts.

[0109] FIGS. 6, 7 and 8 are the first, second and third flow charts, respectively, to describe a distribution operation in the event of purchasing content according to the data distribution system of the first embodiment (also called a “distribution session” hereinafter).

[0110] FIGS. 6-8 correspond to the operation of user 1 receiving content data distribution from distribution server 30 via cellular phone 100 using memory card 110.

[0111] First, a distribution request is issued from cellular phone 100 of user 1 through the operation of the key buttons on touch key unit 1108 by user 1 (step S100).

[0112] At memory card 110, authentication data {KPmc(1)}KPma is output from authentication data hold unit 1400 in response to the distribution request (step S102).

[0113] Cellular phone 100 transmits to distribution server 30 authentication data {KPp(1)}KPma for authentication of cellular phone 100 itself, the content ID and license purchase condition AC, in addition to authentication data {KPmc(1)}KPma accepted from memory card 110 for authentication (step S104).

[0114] Distribution server 30 receives the content ID, authentication data {KPmc(1)}KPma and {KPp(1)}KPma, and license purchase condition data AC from cellular phone 100 (step S106). Decryption processing unit 312 executes a decryption process using authentication key KPma. Accordingly, distribution server 30 accepts public encryption key KPmc(1) of memory card 110 and KPp(1), which is the public encryption key of cellular phone 100 (step S108).

[0115] Distribution control unit 315 conducts authentication through authentication server 12 based on the accepted public encryption keys KPmc(1) and KPp(1) (step S110). When these public encryption keys are valid, control proceeds to the next process (step S112). When these public encryption keys are invalid, the process ends (step S170).

[0116] Authentication server 12 performs the authentication by verifying the authenticity of public encryption key KPp(1) or KPmc(1) in the decryption process with authentication key KPma. Since public encryption key KPp(1) or KPmc(1) is encrypted so that its authenticity can be determined by decrypting with authentication key KPma, a structure may also be implemented in which distribution control unit 315 of license server 10 performs the authentication from the result of decryption with authentication key KPma.

[0117] When verification is made that the distribution is towards a proper memory card as a result of authentication, distribution control unit 315 generates a transaction ID to identify the distribution session (step S112).

[0118] When verification is made that the distribution is towards a proper memory card as a result of authentication, distribution control unit 315 also records the transaction ID, content ID, and public encryption keys KPmc(1) and KPp(1) in log administration database 306, together with the information indicating unsettled accounting (accounting status flag), as the license distribution log (step S113).

[0119] At distribution server 30, session key generation unit 316 generates a session key Ks1 for distribution. Session key Ks1 is encrypted by encryption processing unit 318 using the public encryption key KPmc(1) corresponding to memory card 110, obtained from decryption processing unit 312.

[0120] The transaction ID and encrypted session key {Ks1}Kmc(1) are output via data bus BS1 and communication device 350 (step S116).

[0121] Upon reception of the transaction ID and encrypted session key {Ks1}Kmc(1) at cellular phone 100 (step S118), the received data is applied onto data bus BS3 via memory interface 1200 in memory card 110. Decryption processing unit 1404 decrypts {Ks1}Kmc(1) using the private decryption key Kmc(1) unique to memory card 110 stored in hold unit 1402, whereby session key Ks1 is decrypted and extracted. As a result, the transaction ID and session key Ks1 are accepted (step S120).

[0122] The procedure up to step S120 is referred to as the “transaction ID obtain step”.

[0123] Referring to FIG. 7, upon confirmation of the acceptance of session key Ks1 generated at distribution server 30, controller 1420 designates session key generation unit 1418 to generate the session key Ks2 of the distribution operation of the memory card. Controller 1420 also records session key Ks2 in log memory 1460 together with the received transaction ID (step S121).

[0124] Encryption processing unit 1406 encrypts session key Ks2 and public encryption key KPm(1), applied by sequential switching of the contacts of switches 1444 and 1446, using session key Ks1 applied from decryption processing unit 1404 via contact Pa of switch 1442, whereby {Ks2//KPm(1)}Ks1 is output onto data bus BS3 (step S122).

[0125] Encrypted data {Ks2//KPm(1)}Ks1 output onto data bus BS3 is transmitted from data bus BS3 to cellular phone 100 via terminal 1202 and memory interface 1200, and then transmitted from cellular phone 100 to distribution server 30 (step S124).

[0126] Distribution server 30 receives encrypted data {Ks2//KPm(1)}Ks1 and executes a decryption process using session key Ks1 by decryption processing unit 320. Session key Ks2 generated at the memory card and public encryption key KPm(1) unique to memory card 110 are accepted (step S126).

[0127] Distribution control unit 315 generates access restriction information AC1 and reproduction circuit restriction information AC2 according to the content ID and license purchase condition data AC obtained at step S106 (step S130). Also, license key Kc to decrypt the encrypted content data is obtained from information database 304 (step S132).

[0128] Distribution control unit 315 applies the obtained license key Kc and reproduction circuit restriction information AC2 to encryption processing unit 324. Encryption processing unit 324 encrypts license key Kc and reproduction circuit restriction information AC2 using secret common key Kcom obtained from Kcom hold unit 322 (step S134).

[0129] Encrypted data {Kc//AC2}Kcom output from encryption processing unit 324, together with the transaction ID, content ID and access restriction information AC1 output from distribution control unit 315, are encrypted by encryption processing unit 326 using the public encryption key KPm(1) unique to memory card 110 obtained by decryption processing unit 320 (step S136).

[0130] Encryption processing unit 328 receives the output of encryption processing unit 326 and applies encryption using session key Ks2 generated by memory card 110 (step S137).

[0131] Distribution control unit 315 records access restriction information AC1, reproduction circuit restriction information AC2, public encryption key KPm(1) and session key Ks2 in log administration database 306 together with the information of settled accounting (accounting status flag) (step S138).

[0132] Encrypted data {{{Kc//AC2}Kcom//transaction ID//content ID//AC1}Km(1)}Ks2 output from encryption processing unit 328 is transmitted to cellular phone 100 via data bus BS1 and communication device 350 (step S139).

[0133] By exchanging the session keys generated at the distribution server and at the memory card, each side encrypting with the session key it received and transmitting the encrypted data to the other party, mutual authentication is effectively achieved in the transmission and reception of the respective encrypted data. Thus, security of the data distribution system can be improved. Furthermore, distribution server 30 records and stores the accounting status and the information associated with the distribution history.

[0134] Cellular phone 100 receives the transmitted encrypted data {{{Kc//AC2}Kcom//transaction ID//content ID//AC1}Km(1)}Ks2 (step S140). At memory card 110, the received data applied onto data bus BS3 via memory interface 1200 is decrypted by decryption processing unit 1412. Specifically, decryption processing unit 1412 decrypts the reception data on data bus BS3 using session key Ks2 applied from session key generation unit 1418 and provides the decrypted data onto data bus BS4 (step S144).

[0135] Referring to FIG. 8, data {{Kc//AC2}Kcom//license ID//content ID//AC1}Km(1), decryptable with private decryption key Km(1) stored in Km(1) hold unit 1421, is output onto data bus BS4 at the stage of step S144. This data {{Kc//AC2}Kcom//transaction ID//content ID//AC1}Km(1) is first decrypted with private decryption key Km(1), whereby data {Kc//AC2}Kcom, the transaction ID, content ID, and access control information AC1, which are the reproduction information, are accepted (step S146).

[0136] The transaction ID, content ID and access restriction information AC1 are recorded in license information hold unit 1440. Data {Kc//AC2}Kcom is encrypted again with public encryption key KPm(1) and stored in memory 1415 as data {{Kc//AC2}Kcom}Km(1) (step S148).

[0137] The reception log in log memory 1460 is erased (step S150).

[0138] The process from step S121 to step S150 is referred to as the “reproduction information obtain step”. In this “reproduction information obtain step”, the process subject to accounting is carried out.

[0139] At the stage of proper completion of the process up to step S150, a content data distribution request is issued from cellular phone 100 to distribution server 30 (step S152).

[0140] In response to reception of the content data distribution request, distribution server 30 obtains encrypted content data {Data}Kc and additional information Data-inf from information database 304 and outputs them via data bus BS1 and communication device 350 (step S154).

[0141] Cellular phone 100 receives {Data}Kc//Data-inf, and accepts encrypted content data {Data}Kc and additional information Data-inf (step S156). Encrypted content data {Data}Kc and additional information Data-inf are transmitted onto data bus BS3 of memory card 110 via memory interface 1200 and terminal 1202. At memory card 110, the received encrypted content data {Data}Kc and additional information Data-inf are stored directly in memory 1415 (step S158).

[0142] The process from step S152 to step S158 is referred to as the “content data obtain step”. In this “content data obtain step”, a process not subject to accounting is carried out.

[0143] A distribution acceptance notification is transmitted from memory card 110 to distribution server 30 (step S160). Upon reception of the distribution acceptance at distribution server 30 (step S162), the distribution end process is executed, accompanied by storage of the accounting data into account database 302 (step S164). Thus, the distribution server process ends (step S170).

Reconnection Operation

[0144] The process of establishing a reconnection to receive the distribution again, when the communication line is disrupted during some stage of the above-described distribution operation, will be described hereinafter. FIG. 9 is a flow chart to describe the reconnection process.

[0145] User 1, for example, requests reconnection through a key button or the like on keyboard 1108 of cellular phone 100, whereby the reconnection process is initiated (step S200).

[0146] Controller 1106 of cellular phone 100 determines the processing step at which communication was disrupted (step S202). If the disruption occurred in the transaction ID obtain step, the basic distribution process of FIGS. 6-8 (first reconnection process) is effected, since that step is not relevant to accounting (step S204). Then, the reconnection process ends (step S206).

[0147] When determination is made that the step at which communication was disrupted is the license obtain step (step S202), controller 1106 carries out a second reconnection process, described afterwards, based on the reception log (step S206). When communication was disrupted in the content data obtain step (step S202), a third reconnection process, described afterwards, that continues the communication from the point of disruption is effected (step S206). Then, the reconnection process ends (step S210).

Second Reconnection Process

[0148] FIGS. 10, 11 and 12 are the first, second and third flow charts, respectively, to describe the second reconnection process in the data distribution system of the first embodiment. By comparing the license distribution log of license server 10 with the reception log of memory card 110, the reproduction information distribution status at the time communication was disrupted is confirmed, to realize reliability for the user while protecting the rights of copyright owners.

[0149] Referring to FIG. 10, user 1 operates a key button of keyboard 1108 of cellular phone 100 to issue a reconnection request. In response, the second reconnection process is initiated (step S300).

[0150] In response to this reconnection request, the transaction ID stored in log memory 1460 is output at memory card 110 (step S302).

[0151] Cellular phone 100 transmits the transaction ID accepted from memory card 110 towards distribution server 30 (step S304).

[0152] At distribution server 30, the transaction ID is received (step S306). Distribution control unit 315 retrieves the license distribution log from log administration database 306 (step S308).

[0153] When the accounting process has already been performed for the terminal that requested reconnection (cellular phone 100 and memory card 110), as determined from the received transaction ID (step S308), distribution control unit 315 obtains public encryption key KPmc(1) from the license distribution log (step S310).

[0154] Session key generation unit 316 generates a session key Ks1 for distribution. Session key Ks1 is encrypted by encryption processing unit 318 using public encryption key KPmc(1) (step S312).

[0155] The transaction ID and encrypted session key {Ks1}Kmc(1) are output via data bus BS1 and communication device 350 (step S314).

[0156] In response to reception of the transaction ID and encrypted session key {Ks1}Kmc(1) at cellular phone 100 (step S316), decryption processing unit 1404 of memory card 110 decrypts the received data applied onto data bus BS3 via memory interface 1200 using the private decryption key Kmc(1) unique to memory card 110 stored in hold unit 1402, whereby session key Ks1 is decrypted and extracted (step S318).

[0157] The subsequent steps are similar to the process following step S121 of FIG. 7, i.e., the process following the license obtain step.

[0158] When determination is made that the accounting process has not been completed, as a result of distribution control unit 315 looking up the license distribution log in log administration database 306 at step S308, public encryption key KPmc(1) is obtained from the license distribution log (step S330).

[0159] Then, session key generation unit 316 at distribution server 30 generates a session key Ks1 for distribution. Session key Ks1 is encrypted by encryption processing unit 318 using public encryption key KPmc(1) (step S332).

[0160] The transaction ID and encrypted session key {Ks1}Kmc(1) are output via data bus BS1 and communication device 350 (step S334).

[0161] In response to reception of the transaction ID and encrypted session key {Ks1}Kmc(1) at cellular phone 100 (step S336), decryption processing unit 1404 decrypts the reception data applied onto data bus BS3 via memory interface 1200 using the private decryption key Kmc(1) unique to memory card 110 stored in hold unit 1402, whereby session key Ks1 is decrypted and extracted (step S338).

[0162] Encryption processing unit 1406 encrypts the reception log with session key Ks1 to generate {reception log}Ks1 (step S340).

[0163] Referring to FIG. 11, controller 1420 designates session keygeneration unit 1418 to generate a session key Ks2′ generated in thedistribution operation of the memory card (step S342).

[0164] Encryption processing unit 1406 encrypts session key Ks2′ appliedvia the contacts of switches 1444 and 1446 using session key Ks1 appliedfrom decryption processing unit 1404 via contact Pa of switch 1442 togenerate {Ks2′}Ks1. The generated data {reception log}Ks1 and {Ks2′}Ks1are output from memory card 110 (step S344).

[0165] Encrypted data {reception log}Ks1 and {Ks2′}Ks1 output onto databus BS3 are transmitted from data bus BS3 to cellular phone 100 viaterminal 1202 and memory interface 1200, and transmitted from cellularphone 100 to distribution server 30 (step S346).

[0166] Distribution server 30 receives encrypted data {reception log}Ks1and {Ks2′}Ks1. Decryption processing unit 320 executes a decryptionprocess using session key Ks1, whereby session key Ks2′ generated by thereception log and memory card is accepted (step S348).

[0167] Then, distribution control unit 316 verifies the authenticity ofthe received reception log (step S350).

[0168] When authenticity of the reception log is not verified, thesecond reconnection process ends (step S390).

[0169] In contrast, when the authenticity of the reception log isverified, distribution control unit 315 obtains the content ID, accessrestriction information AC1, reproduction circuit restrictioninformation AC2 and public encryption key KPm(1) from the licensedistribution log (step S352). Then, license key Kc to decrypt theencrypted content data is obtained from information database 304 (stepS354).

[0170] Distribution control unit 315 applies the obtained license key Kc and reproduction circuit restriction information AC2 to encryption processing unit 324. Encryption processing unit 324 encrypts license key Kc and reproduction circuit restriction information AC2 using secret common key Kcom obtained from Kcom hold unit 322 (step S356).

[0171] Encrypted data {Kc//AC2}Kcom output from encryption processing unit 324, and the transaction ID, content ID and access restriction information AC1 output from distribution control unit 315, are encrypted by encryption processing unit 326 using public encryption key KPm(1), unique to memory card 110 and obtained at step S352 (step S358).

[0172] Encryption processing unit 328 receives the output of encryption processing unit 326 and encrypts it using session key Ks2′ generated at memory card 110 (step S360).

[0173] Encrypted data {{{Kc//AC2}Kcom//transaction ID//content ID//AC1}Km(1)}Ks2′ output from encryption processing unit 328 is transmitted to cellular phone 100 via data bus BS1 and communication device 350 (step S362).

[0174] Cellular phone 100 receives the transmitted encrypted data {{{Kc//AC2}Kcom//transaction ID//content ID//AC1}Km(1)}Ks2′ (step S364).

[0175] Referring to FIG. 12, memory card 110 has the reception data applied onto data bus BS3 via memory interface 1200 decrypted by decryption processing unit 1412. Specifically, decryption processing unit 1412 uses session key Ks2′ applied from session key generation unit 1418 to decrypt the reception data on data bus BS3, and provides the decrypted data onto data bus BS4 (step S366).

[0176] At this stage, data {{Kc//AC2}Kcom//transaction ID//content ID//AC1}Km(1), decryptable with private decryption key Km(1) stored in Km(1) hold unit 1421, is output onto data bus BS4. This data {{Kc//AC2}Kcom//transaction ID//content ID//AC1}Km(1) is decrypted with private decryption key Km(1), whereby data {Kc//AC2}Kcom, the transaction ID, the content ID and access restriction information AC1 corresponding to the reproduction information are accepted (step S368).

[0177] The transaction ID, content ID and access restriction information AC1 are stored in license information hold unit 1440. Data {Kc//AC2}Kcom is encrypted again using public encryption key KPm(1) and stored in memory 1415 as data {{Kc//AC2}Kcom}Km(1) (step S370).

[0178] Also, the reception log is erased from log memory 1460 (step S372).

[0179] Upon proper completion of the process up to step S372, a content data distribution request is issued from cellular phone 100 to distribution server 30 (step S374).

[0180] In response to this content data distribution request, distribution server 30 obtains encrypted content data {Data}Kc and additional information Data-inf from information database 304. These data are output via data bus BS1 and communication device 350 (step S376).

[0181] Cellular phone 100 receives {Data}Kc//Data-inf, and accepts encrypted content data {Data}Kc and additional information Data-inf (step S378). Encrypted content data {Data}Kc and additional information Data-inf are transmitted onto data bus BS3 of memory card 110 via memory interface 1200 and terminal 1202. At memory card 110, the received encrypted content data {Data}Kc and additional information Data-inf are stored directly in memory 1415 (step S380).

[0182] A distribution acceptance notification is transmitted from memory card 110 to distribution server 30 (step S382). When the distribution acceptance is received at distribution server 30 (step S384), the distribution end process is executed (step S386). The process of the distribution server ends (step S390).
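The following Python model of steps S342 through S372 is an added example, not code from the patent. It shows the three encryption layers the server builds at steps S356 to S360 and the order in which the memory card peels them off at steps S366 to S370, with the reception log erased only after the transaction ID inside the unwrapped data matches the one the log recorded. The keystream cipher, the length-prefixed "//" encoding, and the use of one shared secret in place of each public/private pair (KPm(1)/Km(1)) are assumptions made so the example runs with the standard library only; Kcom stays with the reproduction circuit, as in the first embodiment.

```python
import hashlib


def xcrypt(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (constructed for this example; the patent names no
    cipher). The same call encrypts and decrypts. It also stands in for the
    public-key layer KPm(1)/Km(1), modelled here as one shared secret, which is
    an assumption made to keep the example dependency-free."""
    stream = hashlib.shake_256(key + b"|" + label).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def pack(*fields: bytes) -> bytes:
    """The patent's '//' concatenation, with 2-byte length prefixes so the
    receiver can split the fields again."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def unpack(blob: bytes, n: int) -> list:
    """Inverse of pack(); raises ValueError on anything that is not exactly n fields."""
    fields, pos = [], 0
    for _ in range(n):
        ln = int.from_bytes(blob[pos:pos + 2], "big")
        pos += 2
        if pos + ln > len(blob):
            raise ValueError("malformed field")
        fields.append(blob[pos:pos + ln])
        pos += ln
    if pos != len(blob):
        raise ValueError("trailing bytes")
    return fields


def server_build_license(kc, ac2, tx_id, content_id, ac1, kcom, kpm1, ks2p):
    """Steps S356-S360: {{{Kc//AC2}Kcom//transaction ID//content ID//AC1}Km(1)}Ks2'."""
    inner = xcrypt(kcom, b"kcom", pack(kc, ac2))                             # S356
    middle = xcrypt(kpm1, b"license", pack(inner, tx_id, content_id, ac1))   # S358
    return xcrypt(ks2p, b"session", middle)                                  # S360


class MemoryCard:
    def __init__(self, km1: bytes):
        self.km1 = km1           # Km(1) hold unit 1421 (shared-secret stand-in for the pair)
        self.log = None          # log memory 1460: transaction ID and Ks2' of the open reception
        self.license_info = {}   # license information hold unit 1440
        self.memory = {}         # memory 1415

    def begin_reconnection(self, tx_id: bytes, ks2p: bytes) -> bytes:
        """Step S342: Ks2' is generated (passed in here so the example is deterministic)."""
        self.log = {"tx": tx_id, "ks2": ks2p}
        return ks2p

    def accept_license(self, wrapped: bytes) -> bytes:
        """Steps S366-S372. Raises ValueError unless the message unwraps to the
        transaction recorded in the reception log; the log is erased only on success."""
        if self.log is None:
            raise ValueError("no reception in progress")
        middle = xcrypt(self.log["ks2"], b"session", wrapped)                        # S366
        inner, tx_id, content_id, ac1 = unpack(xcrypt(self.km1, b"license", middle), 4)  # S368
        if tx_id != self.log["tx"]:
            raise ValueError("transaction ID does not match the reception log")
        self.license_info[tx_id] = (content_id, ac1)                                 # S370
        self.memory[tx_id] = xcrypt(self.km1, b"store", inner)                       # {{Kc//AC2}Kcom}Km(1)
        self.log = None                                                              # S372
        return content_id

    def stored_license(self, tx_id: bytes) -> bytes:
        """{Kc//AC2}Kcom as handed to the reproduction circuit, which alone holds Kcom."""
        return xcrypt(self.km1, b"store", self.memory[tx_id])


def try_accept(card: MemoryCard, wrapped: bytes) -> bool:
    try:
        card.accept_license(wrapped)
        return True
    except ValueError:
        return False


def demo():
    """Constructed keys and IDs; returns what the card and the reproduction side recover."""
    kcom, km1, ks2p = b"kcom-secret", b"km1-secret", b"ks2-prime-secret"
    card = MemoryCard(km1)
    card.begin_reconnection(b"TX0001", ks2p)
    wrapped = server_build_license(b"KC-16-byte-key!!", b"AC2:stereo", b"TX0001",
                                   b"CID42", b"AC1:play=1", kcom, km1, ks2p)
    content_id = card.accept_license(wrapped)
    kc, ac2 = unpack(xcrypt(kcom, b"kcom", card.stored_license(b"TX0001")), 2)
    return content_id, kc, ac2, card.log
```

A license built under a different Ks2′ (a stale or replayed message) fails to unwrap and leaves the reception log in place, which is what makes a later retry of the second reconnection possible. Note that none of the three layers carries an integrity check in this toy: a bit flip inside the Kc bytes would pass the transaction ID test and only show up at reproduction time, which is one reason the third embodiment adds signature data to the status information it sends.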

Third Reconnection Process

[0183] FIG. 13 is a flow chart to describe a third reconnection operation in the data distribution system of the first embodiment.

[0184] Referring to FIG. 13, user 1 sends a reconnection request through the key button on keyboard 1108 of cellular phone 100. In response, a third reconnection process is initiated (step S400).

[0185] In response to this reconnection request, cellular phone 100 sends a content data distribution request to distribution server 30 (step S402).

[0186] In response to this content data distribution request, distribution server 30 obtains encrypted content data {Data}Kc and additional information Data-inf from information database 304. These data are output via data bus BS1 and communication device 350 (step S404).

[0187] Cellular phone 100 receives {Data}Kc//Data-inf, and accepts encrypted content data {Data}Kc and additional information Data-inf (step S406). Encrypted content data {Data}Kc and additional information Data-inf are transmitted onto data bus BS3 of memory card 110 via memory interface 1200 and terminal 1202. At memory card 110, the received encrypted content data {Data}Kc and additional information Data-inf are stored directly in memory 1415 (step S408).

[0188] Then, a distribution acceptance notification is transmitted from memory card 110 to distribution server 30 (step S410). When distribution server 30 receives this distribution acceptance (step S412), a distribution end process is executed (step S414). The process of the distribution server ends (step S416).

Reconnection Operation When Line Is Cut During Reconnection Operation

[0189] The process of establishing reconnection to receive distribution again, in the case where the communication line is cut off during a processing step of the above-described reconnection operation, will be described here. FIG. 14 is a flow chart to describe such a reconnection process.

[0190] User 1, for example, operates the key button on keyboard 1108 of cellular phone 100 to send a reconnection request. The reconnection process is initiated (step S500).

[0191] Based on the license reception standby log stored in memory card 110, controller 1106 determines the step at which communication was disrupted (step S502). When communication was disrupted at the license obtain step or the license reobtain step, the second reconnection process is performed again (step S504). Then, the reconnection process ends (step S508).

[0192] When controller 1106 determines that communication was disrupted at the content data obtain step (step S502), the third reconnection process described above is carried out (step S506). Then, the reconnection process ends (step S508).

[0193] By virtue of such a structure, reconnection can be established even in the case where the communication line has been disrupted during a processing step. Thus, the reliability of the system is further improved.

Second Embodiment

[0194] The data distribution system of the second embodiment differs from the data distribution system of the first embodiment in that the license reception standby log stored in log memory 1460 of memory card 110 is not erased, as will be described hereinafter. Corresponding to this modification, the reception log includes, in addition to the structure of the first embodiment, a reception status flag.

[0195] The data distribution system of the second embodiment differs from the first embodiment in the operation of controller 1420 in memory card 110 and the data stored in log memory 1460.

[0196] FIGS. 15, 16 and 17 are the first, second and third flow charts, respectively, to describe a distribution operation in the event of purchasing content in the data distribution system of the second embodiment, and are comparable to FIGS. 6-8 of the first embodiment.

[0197] FIGS. 15-17 correspond to the operation of user 1 receiving music data distribution from distribution server 30 via cellular phone 100 by using memory card 110.

[0198] The difference from the flow of the first embodiment is that, at step S121′ of FIG. 16 following the transaction ID obtain step, controller 1420 directs session key generation unit 1418 to generate session key Ks2, the session key the memory card uses in the distribution operation, upon confirming acceptance of session key Ks1 generated at distribution server 30. Furthermore, controller 1420 records in log memory 1460, as the reception log, a reception status flag set to the ON status indicating a reception wait state, together with session key Ks2 and the received transaction ID (step S121′).

[0199] Referring to FIG. 17, at step S148, the transaction ID, content ID and access restriction information AC1 are recorded in license information hold unit 1440. Data {Kc//AC2}Kcom is encrypted by public encryption key KPm(1) and stored in memory 1415 as data {{Kc//AC2}Kcom}Km(1). Then, the reception status flag in the reception log in log memory 1460 is set to the OFF status indicating that reception has ended (step S150′).

[0200] The remaining process is similar to that of the first embodiment. The same steps have the same reference characters allotted, and description thereof will not be repeated.

Reconnection Operation

[0201] Similar to FIG. 9 of the first embodiment, the second embodiment carries out a reconnection process to receive distribution again when the communication line has been disrupted during a processing step of the distribution operation.

[0202] It is to be noted that the second reconnection process is partially modified from that of the first embodiment.

Second Reconnection Process

[0203] FIGS. 18, 19 and 20 are the first, second and third flow charts, respectively, to describe a second reconnection operation in the data distribution system of the second embodiment, and are comparable to FIGS. 10-12 of the first embodiment.

[0204] The difference from the process of the first embodiment is that control proceeds to step S121′ of FIG. 16 after accepting session key Ks1 at step S318, and that the transaction ID, content ID and access restriction information AC1 are recorded in license information hold unit 1440 at step S370 shown in FIG. 20. Data {Kc//AC2}Kcom is encrypted using public encryption key KPm(1) and stored in memory 1415 as data {{Kc//AC2}Kcom}Km(1). Then, at step S372′, the reception status flag of the reception log is set to OFF, indicating that reception has ended.

[0205] The remaining process is similar to that of the first embodiment. Corresponding steps have the same reference characters allotted, and description thereof will not be repeated.
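The following Python model is an added example, not code from the patent. It covers two passages at once: the FIG. 14 dispatch (steps S502 to S506), which reads the reception log to decide whether the second or the third reconnection process must be rerun, and the second embodiment's reception status flag, set ON at step S121′ and OFF at step S150′ or S372′ so that the log need not be erased. The step names, the card fields and the constructed transaction ID and key values are assumptions made for the simulation; a line cut is simulated by stopping a pass before a named step.

```python
ON, OFF = "ON", "OFF"


class ReceptionLog:
    """Log memory 1460 as used by the second embodiment: the entry is kept,
    and a reception status flag records whether the license is still awaited."""

    def __init__(self):
        self.entry = None

    def license_requested(self, tx_id: bytes, ks2: bytes) -> None:
        """Step S121': Ks2 generated, flag ON recorded with the transaction ID."""
        self.entry = {"tx": tx_id, "ks2": ks2, "flag": ON}

    def license_recorded(self) -> None:
        """Step S150' (distribution) or S372' (second reconnection): flag OFF."""
        self.entry["flag"] = OFF


def choose_reconnection(log: ReceptionLog, content_stored: bool):
    """FIG. 14, steps S502-S506, decided from the log alone."""
    if log.entry is None:
        return None                      # no reception was ever started
    if log.entry["flag"] == ON:
        return "second"                  # cut during license obtain or reobtain
    if not content_stored:
        return "third"                   # license on the card, content still missing
    return None                          # nothing left to redo


class Card:
    def __init__(self):
        self.log = ReceptionLog()
        self.license = None              # license information hold unit 1440 / memory 1415
        self.content = None              # {Data}Kc in memory 1415


STEPS = ("license_request", "license_record", "content_request", "content_store")


def run(card: Card, proc: str, cut_at=None) -> bool:
    """One pass of the initial distribution or of a reconnection process.
    Returns False when the line is cut before the step named by cut_at."""
    start = 2 if proc == "third" else 0   # the third process only re-requests content
    for step in STEPS[start:]:
        if step == cut_at:
            return False
        if step == "license_request":
            card.log.license_requested(b"TX1", b"ks2-" + proc.encode())
        elif step == "license_record":
            card.license = b"{{Kc//AC2}Kcom}Km(1)"
            card.log.license_recorded()
        elif step == "content_store":
            card.content = b"{Data}Kc"
    return True


def recover(card: Card, cuts) -> list:
    """Reconnect until nothing is left to redo; cuts[i] is where retry i drops,
    and a final uncut retry is always appended."""
    history = []
    for cut in list(cuts) + [None]:
        proc = choose_reconnection(card.log, card.content is not None)
        if proc is None:
            break
        history.append(proc)
        run(card, proc, cut)
    return history
```

Because the second reconnection process runs step S121′ again, each retry overwrites the log with a fresh Ks2 and turns the flag back ON, so a cut during that retry is handled by the same dispatch as a cut during the original distribution.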

[0206] The third reconnection process, as well as the reconnection operation when the line is cut off during a reconnection operation, are similar to those of the first embodiment (FIGS. 13 and 14).

[0207] By such a structure, reconnection can be established even in the case where the communication line is disrupted during a processing step. Thus, the reliability of the system is further improved.

Third Embodiment

[0208] The distribution system of the third embodiment differs from the data distribution system of the second embodiment in that status information, consisting of the reception log stored in log memory 1460 of memory card 110 with a license status flag added, is transmitted to the server.

[0209] The status information includes the transaction ID, session key Ks2 and reception status flag of the reception log, plus the license status flag.

[0210] Here, the license status flag is a flag variable of three states. The license status flag takes the value "01h" when the transaction ID recorded in the reception log is present in license information hold unit 1440 of memory card 110, the corresponding reproduction information is present, and reproduction is not inhibited by the access restriction information stored in license information hold unit 1440, i.e. when in a reproducible state; takes the value "00h" when the transaction ID is present in the license information hold unit but there is no corresponding reproduction information, or reproduction is inhibited by the access restriction information stored in license information hold unit 1440, so that reproduction cannot be performed; and takes the value "FFh" when the transaction ID is absent.

[0211] The structure of the data distribution system of the third embodiment differs in the operation of controller 1420 of memory card 110 and the data stored in log memory 1460, as will be described hereinafter.

[0212] The distribution operation and reconnection operation of the third embodiment are similar to those of the second embodiment except for the second reconnection process set forth below.

Second Reconnection Process

[0213] FIGS. 21, 22, 23 and 24 are the first, second, third and fourth flow charts, respectively, to describe the second reconnection operation of the data distribution system of the third embodiment.

[0214] Referring to FIG. 21, the process from step S300 to step S338 is similar to the second reconnection operation of the second embodiment.

[0215] At step S338, the reception data applied onto data bus BS3 via memory interface 1200 in memory card 110 is decrypted by decryption processing unit 1404 using private decryption key Kmc(1), unique to memory card 110 and stored in hold unit 1402, whereby session key Ks1 is decrypted and extracted. Then, controller 1420 in memory card 110 retrieves the data stored in license information hold unit 1440 according to the transaction ID in the reception log stored in log memory 1460 (step S640).

[0216] Controller 1420 checks whether the transaction ID is present in license information hold unit 1440 (step S642).

[0217] When the transaction ID is absent, the license status flag is set to "FFh" (step S644), and control proceeds to step S652.

[0218] When the transaction ID is present at step S642, controller 1420 checks the status of access restriction information AC1 stored in license information hold unit 1440 and whether a corresponding license key Kc is recorded in memory 1415 (step S646). When reproduction is allowed, the license status flag is set to "01h" (step S648). When reproduction is not allowed, the license status flag is set to "00h" (step S650). Then, control proceeds to step S652.

[0219] The status information, consisting of the reception log stored in log memory 1460 with the license status flag added, is generated (step S652).

[0220] Controller 1420 directs session key generation unit 1418 to generate session key Ks2′, the session key the memory card uses in the distribution operation (step S654).

[0221] Encryption processing unit 1406 encrypts the status information and session key Ks2′ using session key Ks1 to generate encrypted data {status information//Ks2′}Ks1 (step S656).

[0222] Controller 1420 computes the hash value of encrypted data {status information//Ks2′}Ks1 with the hash function, generating signature data "hash" for encrypted data {status information//Ks2′}Ks1 (step S658).

[0223] Encryption processing unit 1406 encrypts the signature data hash, applied under control of controller 1420, using session key Ks1 applied from decryption processing unit 1404 via contact Pa of switch 1442, to generate encrypted signature data {hash}Ks1 (step S660).

[0224] The generated data {status information//Ks2′}Ks1 and encrypted signature data {hash}Ks1 are output from memory card 110 (step S662).

[0225] Encrypted data {status information//Ks2′}Ks1 and encrypted signature data {hash}Ks1 output onto data bus BS3 are transmitted from data bus BS3 to cellular phone 100 via terminal 1202 and memory interface 1200, and from cellular phone 100 to distribution server 30 (step S664).

[0226] Distribution server 30 receives encrypted data {status information//Ks2′}Ks1 and encrypted signature data {hash}Ks1 (step S666).

[0227] Referring to FIG. 23, decryption processing unit 320 of distribution server 30 executes a decryption process on encrypted signature data {hash}Ks1 using session key Ks1 to obtain signature data hash corresponding to encrypted data {status information//Ks2′}Ks1. Then, the authenticity of the status information is checked based on encrypted data {status information//Ks2′}Ks1 and the signature data (step S668).

[0228] The process ends if the status information is not proper (step S712). When the authenticity of the status information is verified, a decryption process is executed using session key Ks1. The status information and session key Ks2′ generated by the memory card are accepted (step S670).

[0229] Distribution control unit 315 verifies the authenticity of the reproduction information retransmission request based on the received status information and the license distribution log (step S672).

[0230] When the authenticity of the reproduction information retransmission request is not verified, the second reconnection process ends (step S712).

[0231] In contrast, if the authenticity of the reproduction information retransmission request is verified, distribution control unit 315 obtains the content ID, access restriction information AC1, reproduction circuit restriction information AC2 and public encryption key KPm(1) from the license distribution log (step S674). Then, license key Kc to decrypt the encrypted content data is obtained from information database 304 (step S676).

[0232] Distribution control unit 315 applies the obtained license key Kc and reproduction circuit restriction information AC2 to encryption processing unit 324. Encryption processing unit 324 encrypts license key Kc and reproduction circuit restriction information AC2 using secret common key Kcom obtained from Kcom hold unit 322 (step S678).

[0233] Encrypted data {Kc//AC2}Kcom output from encryption processing unit 324, and the transaction ID, content ID and access restriction information AC1 output from distribution control unit 315, are encrypted by encryption processing unit 326 using public encryption key KPm(1), unique to memory card 110 and obtained at step S674 (step S680).

[0234] Encryption processing unit 328 receives the output of encryption processing unit 326 and encrypts it using session key Ks2′ generated at memory card 110 (step S682).

[0235] The encrypted data {{{Kc//AC2}Kcom//transaction ID//content ID//AC1}Km(1)}Ks2′ output from encryption processing unit 328 is transmitted to cellular phone 100 via data bus BS1 and communication device 350 (step S684).

[0236] Cellular phone 100 receives the transmitted encrypted data {{{Kc//AC2}Kcom//transaction ID//content ID//AC1}Km(1)}Ks2′ (step S686).

[0237] Referring to FIG. 24, memory card 110 has the reception data applied onto data bus BS3 via memory interface 1200 decrypted by decryption processing unit 1412. Decryption processing unit 1412 uses session key Ks2′ applied from session key generation unit 1418 to decrypt the reception data on data bus BS3. The decrypted data is output onto data bus BS4 (step S690).

[0238] At this stage, data {{Kc//AC2}Kcom//transaction ID//content ID//AC1}Km(1), which can be decrypted with private decryption key Km(1) stored in Km(1) hold unit 1421, is output. This data {{Kc//AC2}Kcom//transaction ID//content ID//AC1}Km(1) is decrypted with private decryption key Km(1), whereby data {Kc//AC2}Kcom, the transaction ID, the content ID and access restriction information AC1 are accepted (step S692).

[0239] The transaction ID, content ID and access restriction information AC1 are recorded in license information hold unit 1440. Data {Kc//AC2}Kcom is encrypted with public encryption key KPm(1) and stored in memory 1415 as data {{Kc//AC2}Kcom}Km(1) (step S694).

[0240] Then, the reception status flag in the reception log in log memory 1460 is set to the OFF state indicating that reception has ended (step S696).

[0241] Upon proper completion of the process up to step S696, a content data distribution request is issued from cellular phone 100 to distribution server 30 (step S698).

[0242] In response to this content data distribution request, distribution server 30 obtains encrypted content data {Data}Kc and additional information Data-inf from information database 304. These data are output via data bus BS1 and communication device 350 (step S700).

[0243] Cellular phone 100 receives {Data}Kc//Data-inf, and accepts encrypted content data {Data}Kc and additional information Data-inf (step S702). Encrypted content data {Data}Kc and additional information Data-inf are transmitted onto data bus BS3 of memory card 110 via memory interface 1200 and terminal 1202. At memory card 110, the received encrypted content data {Data}Kc and additional information Data-inf are stored directly in memory 1415 (step S704).

[0244] A distribution acceptance notification is transmitted from memory card 110 to distribution server 30 (step S706). When the distribution acceptance is received at distribution server 30 (step S708), the distribution end process is executed (step S710). The process of the distribution server ends (step S712).

[0245] The above description is based on a structure in which all of the status information is encrypted using session key Ks1 at step S656, and encrypted data {status information//Ks2′}Ks1 is transmitted to distribution server 30 at steps S662 and S664.

[0246] The transaction ID in the status information serves only to identify its source, so its confidentiality is not important. Since the source is established by encrypted signature data {hash}Ks1, the transaction ID need not be encrypted and can be transmitted to distribution server 30 in plaintext. In this case, the status information is transmitted as transaction ID//{status information excluding transaction ID//Ks2′}Ks1, and signature data hash is generated correspondingly.
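The following Python model is an added example, not code from the patent. It covers the license status flag decision of steps S642 to S650, the card side of steps S652 to S662 (status information encrypted under Ks1, then a hash of that ciphertext encrypted as {hash}Ks1), the server side of steps S668 to S670 (signature checked before anything is decrypted), and the paragraph [0246] variant with the transaction ID sent in plaintext. The keystream cipher, the fixed field sizes, the encoding of AC1 as a single "reproduction allowed" boolean, and the choice to compute the hash over the plaintext transaction ID together with the ciphertext are assumptions made for this example.

```python
import hashlib
import hmac

FLAG_PLAYABLE, FLAG_NOT_PLAYABLE, FLAG_NO_TRANSACTION = 0x01, 0x00, 0xFF
RECEPTION_ON = 1
TX_LEN, KEY_LEN = 8, 16          # fixed field sizes assumed for this example


def xcrypt(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy keystream cipher standing in for {..}Ks1 (constructed; the patent names
    no cipher). The label keeps the status body and the signature on distinct streams."""
    stream = hashlib.shake_256(key + b"|" + label).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def license_status_flag(license_info: dict, memory: dict, tx_id: bytes) -> int:
    """Steps S642-S650. license_info maps a transaction ID to a bool 'AC1 allows
    reproduction' (an assumed encoding of AC1); memory holds the stored license keys."""
    if tx_id not in license_info:
        return FLAG_NO_TRANSACTION                       # S644
    if tx_id in memory and license_info[tx_id]:
        return FLAG_PLAYABLE                             # S648
    return FLAG_NOT_PLAYABLE                             # S650


def card_status_message(tx_id, ks2_old, recv_flag, lic_flag, ks2p, ks1, plaintext_tx=False):
    """Steps S652-S662. With plaintext_tx=True the transaction ID travels in the
    clear as in paragraph [0246]; the hash is computed over prefix and ciphertext
    together so the plaintext part is still covered (this example's choice)."""
    rest = ks2_old + bytes([recv_flag, lic_flag]) + ks2p
    prefix = tx_id if plaintext_tx else b""
    body = rest if plaintext_tx else tx_id + rest
    ct = xcrypt(ks1, b"status", body)                    # S656 {status information//Ks2'}Ks1
    digest = hashlib.sha256(prefix + ct).digest()        # S658 signature data "hash"
    return prefix, ct, xcrypt(ks1, b"sig", digest)       # S660 {hash}Ks1


def server_check_status(prefix, ct, sig, ks1):
    """Steps S668-S670: check the signature first, decrypt only if it matches.
    Returns None when the status information is rejected (step S712)."""
    digest = xcrypt(ks1, b"sig", sig)
    if not hmac.compare_digest(digest, hashlib.sha256(prefix + ct).digest()):
        return None
    body = prefix + xcrypt(ks1, b"status", ct)
    return {
        "tx": body[:TX_LEN],
        "ks2": body[TX_LEN:TX_LEN + KEY_LEN],
        "recv_flag": body[TX_LEN + KEY_LEN],
        "lic_flag": body[TX_LEN + KEY_LEN + 1],
        "ks2_new": body[TX_LEN + KEY_LEN + 2:],
    }


def demo():
    """Constructed card state: TX000001 playable, TX000002 recorded but inhibited,
    TX000003 unknown. Returns the three flags, one accepted message and one
    rejected (bit-flipped) message."""
    ks1 = b"ks1-from-server!"
    license_info = {b"TX000001": True, b"TX000002": False}
    memory = {b"TX000001": b"{{Kc//AC2}Kcom}Km(1)"}
    flags = [license_status_flag(license_info, memory, t)
             for t in (b"TX000001", b"TX000002", b"TX000003")]
    msg = card_status_message(b"TX000001", b"K" * KEY_LEN, RECEPTION_ON, flags[0],
                              b"N" * KEY_LEN, ks1)
    accepted = server_check_status(*msg, ks1)
    prefix, ct, sig = msg
    tampered = server_check_status(prefix, bytes([ct[0] ^ 0x80]) + ct[1:], sig, ks1)
    return flags, accepted, tampered
```

The server verifies {hash}Ks1 before decrypting, so a status message altered in transit is dropped at step S668 rather than feeding a corrupted Ks2′ into the license re-encryption at step S682. The patent's signature is an unkeyed hash encrypted under the same session key as the data; a practitioner building this today would use an authenticated-encryption mode, or an HMAC under a key derived separately from the encryption key, which gives the same check without depending on how the cipher treats the hash.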

[0247] By such a structure, reconnection can be established even when the communication line has been cut off during a processing step. Thus, the reliability of the system is further improved.

[0248] The data distribution systems of the first to third embodiments were described with encryption and decryption carried out using secret common key Kcom at distribution server 30 and cellular phone 100. A structure implementing encryption and decryption without this secret common key Kcom is also allowed.

[0249] In other words, a structure can be implemented in which distribution server 30 of the data distribution system of the first embodiment, described with reference to FIG. 3, lacks Kcom hold unit 322 and encryption processing unit 324. More specifically, license key Kc and reproduction circuit restriction information AC2 output from distribution control unit 315 can be transmitted directly to encryption processing unit 326 in distribution server 30.

[0250] Furthermore, in comparison to the structure of cellular phone 100 described with reference to FIG. 4 in the first embodiment, a structure can be implemented without Kcom hold unit 1512 storing secret common key Kcom and without decryption processing unit 1514 using secret common key Kcom.

[0251] In cellular phone 101 of such a structure, license key Kc is obtained directly by decryption processing unit 1510, which executes a decryption process using session key Ks4, since no encryption with a secret symmetric key is performed in distribution server 30. Therefore, license key Kc is applied directly to decryption processing unit 1510.

[0252] In a structure where encryption and decryption are not effected using secret common key Kcom, memory card 110 can be used without modification.

[0253] In the distribution process of such a case, content key Kc and reproduction circuit restriction information AC2 are transmitted and stored without being encrypted with secret common key Kcom. The encryption process and corresponding decryption process by secret common key Kcom are no longer required. The remaining elements are similar to those of the operation of the first to third embodiments.

[0254] By such a structure, a data distribution system that enjoys advantages similar to those of the data distribution systems of the first to third embodiments can be developed without an encryption process associated with secret common key Kcom.

[0255] The above-described first to third embodiments may be subject to the modifications set forth below.

[0256] The first to third embodiments had data {Kc//AC2}Kcom (or data Kc//AC2 in the structure without key Kcom as mentioned above) encrypted by public encryption key KPm(1) and recorded in license information hold unit 1440. However, the second encryption using public encryption key KPm(1) is not necessary if the data is stored in license information hold unit 1440 provided in the TRM. Advantages similar to those of the first to third embodiments can be provided even if the entire reproduction information is stored in license information hold unit 1440. In this case, step S148 of FIG. 8 and step S370 of FIG. 12 in the first embodiment are to be modified to "record the transaction ID, content ID, AC1, {Kc//AC2}Kcom in the license information hold unit". Also, step S148 of FIG. 17 and step S370 of FIG. 20 in the second embodiment and step S694 of FIG. 24 in the third embodiment are to be modified similarly to "record the transaction ID, content ID, AC1, {Kc//AC2}Kcom in the license information hold unit." If a structure without key Kcom is to be implemented corresponding to these modifications of the first to third embodiments, the process is to be modified to "record the transaction ID, content ID, AC1, Kc//AC2 in the license information hold unit."

The data distribution systems of the first to third embodiments, which receive reproduction information distribution from the distribution server, were described such that authentication data {KPm(1)}KPma and {KPp(1)}KPma of the memory card and cellular phone (content reproduction circuit) are transmitted to the distribution server (step S104), received at the distribution server (step S106), decrypted using authentication key KPma (step S108), and an authentication process is then conducted with respect to both the memory card and the cellular phone (content reproduction circuit) according to the decryption result. However, a structure can be implemented in which the distribution server does not carry out the authentication process on authentication data {KPp(1)}KPma of the content reproduction circuit, because i) since the memory card is detachable, the content reproduction circuit that reproduces the music need not be the cellular phone that received the distribution, and ii) at reproduction, the memory card authenticates authentication data {KPp(1)}KPma of the content reproduction circuit at the output destination before providing it with a portion of the reproduction information (license key Kc and reproduction circuit restriction information AC2), so security is not degraded even if the distribution server omits the authentication of authentication data {KPp(1)}KPma of the content reproduction circuit.

[0257] In this case, the cellular phone transmits the content ID, memory card authentication data {KPm(1)}KPma and license purchase condition data AC at step S104. The distribution server receives the content ID, memory card authentication data {KPm(1)}KPma and license purchase condition data AC at step S106, and decrypts authentication data {KPm(1)}KPma using authentication key KPma to accept public encryption key KPm(1) at step S108. Then, at step S110, an authentication process to determine whether public encryption key KPm(1) was output from a proper apparatus is conducted by querying the authentication server based on the decryption result. The subsequent process is carried out according to the result of the authentication based on authentication data {KPm(1)}KPma of the memory card. There is no change in the reproduction process.

[0258] In the above description, storage of the distributed information is effected by a memory card. However, the present invention is not limited to such a case. More specifically, the present invention is applicable to a more general recording apparatus as long as it possesses recording and encryption functions similar to those of the memory card described above. Here, the recording apparatus is not limited to a structure such as a memory card that is detachable from a communication device such as the cellular phone, and may be incorporated into the communication device.

[0259] Although the present invention has been described and illustrated in detail, it is clearly understood that the same is by way of illustration and example only and is not to be taken by way of limitation, the spirit and scope of the present invention being limited only by the terms of the appended claims.

1. (Amended) A data recording apparatus (110) to receive and recordreproduction information associated with reproduction of encryptedcontent data, including a content key to decrypt said encrypted contentdata into plaintext, through a communication path, said data recordingapparatus comprising: a data communication unit to establish acommunication path with a transmission source of said reproductioninformation to receive said reproduction information transmitted in anencrypted state, a first storage unit (1415, 1440) to store dataassociated with said reproduction information applied from said datacommunication unit, an information extraction unit performing a processof storing data associated with said reproduction information from saiddata communication unit into said first storage unit, and extractingsaid reproduction information based on data stored in said first storageunit, a second storage unit (1460) receiving said reproductioninformation to record reception log information indicating a processingstatus of a reception process to record in said first storage unit, anda control unit (1420) to control operation of said data recordingapparatus, wherein said control unit transmits through said datacommunication unit said reception log information recorded in saidsecond storage unit according to a request.
 2. (Amended) The datarecording apparatus according to claim 1, wherein said datacommunication unit comprises a first key hold unit (1402) storing afirst private decryption key to decrypt data encrypted by a first publicencryption key predefined corresponding to said data recordingapparatus, a first decryption processing unit (1404) to apply adecryption process, receiving a first symmetric key updated andtransmitted for each communication of said reproduction information, andencrypted with said first public encryption key, a second key hold unit(1416) to store a second public encryption key unique to each said datarecording apparatus, a key generation unit (1418) generating a secondsymmetric key updated for each communication of said reproductioninformation, a first encryption processing unit (1406) encrypting saidsecond public encryption key and said second symmetric key based on saidfirst symmetric key for output, and a second decryption processing unit(1412) receiving said reproduction information encrypted with saidsecond public encryption key and further encrypted with said secondsymmetric key to decrypt said reproduction information based on saidsecond symmetric key, wherein said information extraction unit comprisesa third key hold unit (1421) storing a second private decryption key todecrypt data encrypted with said second public encryption key, and athird decryption processing unit (1422) carrying out a decryptionprocess for said second private decryption key in a procedure of aprocess of storing data associated with said reproduction informationinto said first storage unit to a process of extracting saidreproduction information, wherein said first storage unit stores saidreproduction information based on an output of said second decryptionprocessing unit or an output of said second decryption processing unit.3. 
(Amended) The data recording apparatus according to claim 2, whereinsaid first storage unit comprises a third storage unit (1440) to storefirst data which is a portion of said reproduction information excludingsaid content key in a plaintext state, and a fourth storage unit (1415)to store in an encrypted state a portion of said reproductioninformation including all second data excluding said first data of saidreproduction information or all of said reproduction information,wherein said information extraction unit stores in said third storageunit said second data from a result of a decryption process on an outputof said second decryption processing unit by said third decryptionprocessing unit, and comprises a re-encryption processing unitencrypting a portion of said result of a decryption process on theoutput of said second decryption processing unit by said thirddecryption processing unit using said second public encryption key togenerate said first data to be stored in said fourth storage unit. 4.(Amended) The data recording apparatus according to claim 3, whereinsaid third storage unit receives and stores said encrypted content datathat can be decrypted based on said content key.
5. (Amended) The data recording apparatus according to claim 2, wherein said information extraction unit stores in said first storage unit, in a plaintext state, a result of a decryption process on an output of said second decryption processing unit by said third decryption processing unit.
6. (Amended) The data recording apparatus according to claim 5, wherein said first storage unit comprises a third storage unit (1415) to receive and store said encrypted content data that can be decrypted based on said content key, and a fourth storage unit (1440) to store said reproduction information in a plaintext state.
7. (Amended) The data recording apparatus according to claim 2, wherein said reception log information includes communication identification information, generated at said communication source at every reception process of said reproduction information to identify said reception process, and said second symmetric key.
8. (Amended) The data recording apparatus according to claim 7, wherein said reception log information further includes status information indicating that said reproduction information is already recorded in said first storage unit in said reception process.
9. (Amended) The data recording apparatus according to claim 1, wherein said reception log information is erased from said second storage unit every time said reproduction information is recorded in said first storage unit in said reception process.
10. (Amended) The data recording apparatus according to claim 8, wherein said status information is flag information rendered on every time transmission of said reproduction information is requested from said transmission source in said reception process, and rendered off every time said reproduction information is recorded in said first storage unit.
11. (Amended) The data recording apparatus according to claim 2, further comprising a fifth storage unit (1400) storing authentication data used to conduct an authentication process at a transmission source of said reproduction information, prior to reception of said reproduction information.
12. (Amended) The data recording apparatus according to claim 11, wherein said authentication data includes said first public encryption key.
13. (Amended) The data recording apparatus according to claim 11, further comprising means for generating signature information based on all or a portion of said reception log information, wherein, in providing said reception log information, said signature information corresponding to said reception log information is generated and output together with said reception log information.
14. (Amended) The data recording apparatus according to claim 13, wherein said first encryption processing unit encrypts said reception log information and said signature information individually based on said first symmetric key, and said data recording apparatus transmits to said transmission source said reception log information and said signature information individually encrypted at said first encryption processing unit.
15. (Amended) The data recording apparatus according to claim 12, wherein said data recording apparatus is a memory card and said first storage unit is a nonvolatile semiconductor memory.
16. (Amended) A data distribution system comprising a data supply apparatus (10) to supply encrypted content data and reproduction information associated with reproduction of the encrypted content data, including a content key which is a decryption key to decrypt said encrypted content data into plaintext, wherein said data supply apparatus comprises a distribution information hold unit (304) to store said content data and said reproduction information, a first interface unit (350) to transfer data with an external source, a first session key generation unit (316) generating a first symmetric key updated for each distribution of said reproduction information to a terminal of a user, a session key encryption unit (318) encrypting said first symmetric key using a first public encryption key predefined corresponding to said terminal, and applying the encrypted key to said first interface unit, a session key decryption unit (320) to decrypt a second public encryption key and a second symmetric key transmitted in an encrypted state by said first symmetric key, a first license data encryption processing unit (326) to encrypt reproduction information to reproduce said encrypted content data using said second public encryption key decrypted by said session key decryption unit, a second license data encryption processing unit (328) encrypting an output of said first license data encryption processing unit with said second symmetric key, and applying the encrypted output to said first interface unit for distribution, and a distribution log information hold unit (306) to record distribution log information indicating a processing status during said distribution process, said distribution system further comprising a plurality of terminals (100) corresponding to a plurality of users, respectively, to receive distribution from said data supply apparatus via a communication path, wherein each said terminal comprises a second interface unit (1104) to transfer data with an external source, and a data storage unit (110) receiving and storing said encrypted content data and said reproduction information, said data storage unit including a first key hold unit (1402) to store a first private decryption key to decrypt data encrypted with a first public encryption key predefined corresponding to said data storage unit, a first decryption processing unit (1404) to apply a decryption process, receiving a first symmetric key updated and transmitted for each communication of said reproduction information, and encrypted with said first public encryption key, a second key hold unit (1416) to store a second public encryption key differing for each said data storage unit, a key generation unit (1418) generating a second symmetric key updated for each communication of said reproduction information, a first encryption processing unit (1406) encrypting said second public encryption key and said second symmetric key based on said first symmetric key for output, a second decryption processing unit (1412) receiving reproduction information encrypted with said second public encryption key and further encrypted with said second symmetric key to decrypt said reproduction information based on said second symmetric key, a first storage unit (1415, 1440) to store said reproduction information based on an output of said second decryption processing unit, a third key hold unit (1421) storing a second private decryption key to decrypt data encrypted with said second public encryption key, a third decryption processing unit (1422) performing a decryption process with said second private decryption key in a procedure from storing data associated with said reproduction information into said first storage unit to extracting said reproduction information, a second storage unit (1460) to record reception log information indicating a processing status in a distribution process of reproduction information, and a reception control unit (1420) controlling data transfer with an external source, wherein said reception control unit controls a redistribution process based on said reception log information when said communication path is cut during said distribution process.
17. (Amended) The data distribution system according to claim 16, wherein said data storage unit is a memory card detachable from said terminal.
18. (Added) The data distribution system according to claim 16, wherein said data storage unit further comprises a fifth storage unit (1400) storing authentication data used to conduct an authentication process at a transmission source of said reproduction information, prior to reception of said reproduction information, wherein said data supply apparatus further comprises means (312) for verifying authenticity of said data storage unit by the authentication data stored in said data storage unit and transmitted prior to distribution of said reproduction information, and wherein said data supply apparatus transmits said reproduction information to said terminal loaded with said data storage unit when authenticity of said data storage unit is verified in said authentication process.
19. (Added/Amended) The data distribution system according to claim 16, wherein said distribution log information includes reproduction information identification information to identify said reproduction information to be distributed, communication identification information generated at said data supply apparatus for each distribution process of said reproduction information to identify said distribution process, and said second symmetric key, and wherein said reception log information includes said communication identification information and said second symmetric key.
20. (Added) The data distribution system according to claim 16, wherein said reception log information is erased from said second storage unit every time said reproduction information is stored in said first storage unit.
21. (Added) The data distribution system according to claim 16, wherein said reception log information includes a reception status flag rendered on every time distribution of said reproduction information is requested from said data supply apparatus, and rendered off every time said reproduction information is stored in said first storage unit.
22. (Added) The data distribution system according to claim 16, wherein said reception log information includes at least said communication identification information and said second symmetric key.
23. (Added/Amended) A data supply apparatus to supply reproduction information to a plurality of terminals (100) corresponding to a plurality of users, respectively, each terminal including a data storage unit to record reproduction information associated with reproduction of encrypted content data, including a content key which is a decryption key to decrypt said encrypted content data into plaintext, and reception log information indicating a processing status of a distribution process in which said reproduction information is received and recorded, said data supply apparatus comprising: a distribution information hold unit (304) to store said content data and said reproduction information, a first interface unit (350) to transfer data with an external source, a first session key generation unit (316) generating a first symmetric key updated for each distribution of said reproduction information to a terminal of a user, a session key encryption unit (318) encrypting said first symmetric key using a first public encryption key predefined corresponding to said terminal, and applying the encrypted key to said first interface unit, a session key decryption unit (320) to decrypt a second public encryption key and a second symmetric key transmitted in an encrypted state by said first symmetric key, a first license data encryption processing unit (326) to encrypt reproduction information to reproduce said encrypted content data using said second public encryption key decrypted by said session key decryption unit, a second license data encryption processing unit (328) encrypting an output of said first license data encryption processing unit with said second symmetric key, and applying the encrypted output to said first interface unit for distribution, a distribution log information hold unit (306) to record distribution log information indicating a processing status during said distribution process, and a distribution control unit, wherein said distribution control unit controls a redistribution process based on said reception log information recorded in said data storage unit and said distribution log information when a communication path is cut during said distribution process.
24. (Added) The data supply apparatus according to claim 23, further comprising means (312) for verifying authenticity of said data storage unit by authentication data transmitted from said data storage unit prior to distribution of said reproduction information, wherein said reproduction information is transmitted when authenticity of said data storage unit is verified in said authentication process.
25. (Added/Amended) The data supply apparatus according to claim 23, wherein said distribution log information includes reproduction information identification information to identify said reproduction information to be distributed, communication identification information generated at said data supply apparatus for each distribution process of said reproduction information to identify said distribution process, and said second symmetric key, and wherein said reception log information includes said communication identification information and said second symmetric key.
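The following Python model is an added illustration of the exchange claimed in claims 16 and 23; it is not code from the patent or its applicant, and every name in it is an assumption made for the demonstration. The mapping is: the first key pair (KPmc/Kmc) is the card's authentication key of claims 11 and 12, the second pair (KPm/Km) is the card-unique public key of claim 2, Ks1 and Ks2 are the first and second symmetric keys, and the transaction id stands for the communication identification information of claims 19 and 25. The server keeps the distribution log (306) and the card the reception log (1460) with a pending flag (claim 21) that is cleared and the log erased when the license is stored (claim 20). The license is layered as in units 326/328: the content key under KPm, then everything under Ks2. The card stores the result in plaintext as in claims 5 and 6; the signature of claim 13 is not modelled. The primitives are deliberately toy ones (textbook RSA on fixed Mersenne primes with no padding, an HMAC-SHA256 keystream cipher) so the block runs with the standard library; they are not a recommendation.

```python
import hashlib
import hmac
import secrets

# Toy primitives for the model only: textbook RSA on fixed Mersenne primes with
# no padding, and an HMAC-SHA256 keystream cipher. Neither is fit for real use.
E = 65537

def rsa_keypair(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)              # (public key, private key)

def rsa_encrypt(pub, msg):                             # msg, as an integer, must be below n
    return pow(int.from_bytes(msg, "big"), pub[0], pub[1])

def rsa_decrypt(priv, c, length):
    return pow(c, priv[0], priv[1]).to_bytes(length, "big")

def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def sym_encrypt(key, pt):
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]

def sym_decrypt(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16], tag):
        raise ValueError("blob failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Server:
    """Data supply apparatus: session key units 316/318/320, license layers
    326/328 and the distribution log 306 (content id, transaction id, Ks2)."""
    def __init__(self, catalogue):
        self.catalogue = catalogue        # content_id -> (content key Kc, access conditions)
        self.sessions = {}                # transaction id -> Ks1
        self.dist_log = {}                # transaction id -> (content_id, Ks2, KPm-layer blob)

    def open_session(self, kpmc):
        tid, ks1 = secrets.token_hex(4), secrets.token_bytes(16)
        self.sessions[tid] = ks1
        return tid, rsa_encrypt(kpmc, ks1)            # Ks1 under the card's first public key

    def distribute(self, tid, content_id, reply):
        plain = sym_decrypt(self.sessions.pop(tid), reply)       # {KPm(1) || Ks2} under Ks1
        kpm, ks2 = (E, int.from_bytes(plain[:32], "big")), plain[32:]
        kc, ac = self.catalogue[content_id]
        inner = rsa_encrypt(kpm, kc).to_bytes(32, "big") + ac    # Kc under KPm(1), AC in clear
        self.dist_log[tid] = (content_id, ks2, inner)            # Ks2 kept for a retry
        return sym_encrypt(ks2, inner)                           # outer layer under Ks2

    def redistribute(self, reception_log):
        content_id, ks2, inner = self.dist_log[reception_log["tid"]]
        if not hmac.compare_digest(ks2, reception_log["Ks2"]):
            raise ValueError("reception log does not match distribution log")
        return sym_encrypt(ks2, inner)          # same license, re-sent under the logged Ks2

class MemoryCard:
    """Data storage unit: key hold units 1402/1416/1421, key generator 1418,
    plaintext first storage (claim 5) and the reception log 1460."""
    def __init__(self):
        self.kpmc, self.kmc = rsa_keypair(2**61 - 1, 2**89 - 1)    # first pair: authentication data
        self.kpm, self.km = rsa_keypair(2**107 - 1, 2**127 - 1)    # second pair, unique per card
        self.licenses = {}                 # content_id -> (Kc, AC)
        self.log = None                    # {tid, Ks2, pending} or None once the license is stored

    def request(self, tid, enc_ks1):
        ks1 = rsa_decrypt(self.kmc, enc_ks1, 16)
        ks2 = secrets.token_bytes(16)
        self.log = {"tid": tid, "Ks2": ks2, "pending": True}      # flag on at request (claim 21)
        return sym_encrypt(ks1, self.kpm[1].to_bytes(32, "big") + ks2)

    def receive(self, content_id, blob):
        inner = sym_decrypt(self.log["Ks2"], blob)                 # strip the Ks2 layer
        kc = rsa_decrypt(self.km, int.from_bytes(inner[:32], "big"), 16)
        self.licenses[content_id] = (kc, inner[32:])
        self.log = None                                            # erased once stored (claim 20)

def run(cut_path):
    """One distribution; with cut_path the outer blob is lost and recovered from the logs."""
    server = Server({"song-0001": (secrets.token_bytes(16), b"AC:play=unlimited")})  # constructed
    card = MemoryCard()
    tid, enc_ks1 = server.open_session(card.kpmc)
    blob = server.distribute(tid, "song-0001", card.request(tid, enc_ks1))
    if cut_path:
        blob = None                                                # lost in transit
    if blob is None and card.log and card.log["pending"]:
        blob = server.redistribute(card.log)                       # no fresh Ks1/Ks2 round needed
    card.receive("song-0001", blob)
    return card.licenses["song-0001"][0] == server.catalogue["song-0001"][0] and card.log is None
```

The point the model makes concrete is why the card has to log Ks2 rather than only the transaction id: the outer layer of the lost license was produced with that one-shot key, so a retry that matches the distribution log can re-send the identical ciphertext without opening a new session, and a log whose Ks2 does not match what the server recorded is refused rather than served.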